CVE-2024-1170

HIGH

WordPress UGC <2.8.7 - Info Disclosure

Title source: llm
STIX 2.1

Description

The Post Form – Registration Form – Profile Form for User Profiles – Frontend Content Forms for User Submissions (UGC) plugin for WordPress is vulnerable to unauthorized media file deletion due to a missing capability check on the handle_deleted_media function in all versions up to, and including, 2.8.7. This makes it possible for unauthenticated attackers to delete arbitrary media files.

Scores

CVSS v3 8.2
EPSS 0.0073
EPSS Percentile 49.6%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-862
Status published
Products (2)
themekraft/Post Form – Registration Form – Profile Form for User Profiles – Frontend Content Forms for User Submissions (UGC) < 2.8.7
themekraft/post_form < 2.8.8
Published Mar 07, 2024
Tracked Since Feb 18, 2026